
High-traffic websites are vulnerable to account pre-hijacking.

by Rakesh Chandanala

According to research from the Microsoft Security Response Center (MSRC), attackers can take unauthorized ownership of online accounts before their victims have even signed up for the service.

Dubbed "account pre-hijacking", this is the class of attack in which the attacker sets an account takeover in motion before the victim registers with an online service. After the victim signs up, the attacker exploits flaws in the service's identity-validation mechanisms to gain access to, or take ownership of, the newly created account.

The research was supported by one of the Identity Project Research Grants awarded by the MSRC.

Andrew Paverd, a senior researcher at MSRC, and independent researcher Avinash Sudhodanan said that they explored several topics in this project, but a pattern soon emerged around the pre-hijacking threat model.

Account pre-hijacking assumes that the victim does not yet have an account on the target service and that the attacker knows the victim's email address and possibly other details. The researchers identified five types of pre-hijacking attack.

The attacks take advantage of the multiple account-creation paths that online services support. On many websites, users can create an account directly with an email address and password, or use federated authentication through a consumer single sign-on (SSO) identity provider such as Google, Microsoft or Facebook.


In one type of attack, the attacker creates a classic (email and password) account using the victim's email address. The victim later signs up using the federated route. On some services the two accounts are merged, giving the attacker and the victim simultaneous access to the same account.

In another type, the attacker creates an account with the victim's email address and links their own federated identity to it. When the victim tries to create an account, they find one already exists and end up resetting its password. The victim gains access to the account, but the attacker retains access through the linked SSO identity.

The researchers said it is good to see how many online services are moving towards single sign-on, but noted that this means they have to support multiple login mechanisms. That is not necessarily a problem in itself.

They added that their work points out some subtle pitfalls to stay aware of when supporting multiple login mechanisms.

Paverd and Sudhodanan noted that three of the five attacks do not require the service to support multiple login mechanisms at all.

In one of these, the attacker signs in to the pre-created account and keeps that session alive. If the service does not invalidate existing sessions when the password changes, the attacker's session remains active even after the victim recovers the account and resets the password.

In another, the attacker initiates a request to change the account's email address to an attacker-controlled address but does not complete it. If the change request does not expire, the attacker can confirm it later, after the victim has taken over the account.

In the study, the researchers examined 75 services ranked among the top 150 high-traffic domains on the Alexa list. At least 35 were affected by one or more pre-hijacking attacks, including Dropbox, Instagram, LinkedIn, WordPress.com and Zoom. All affected services were made aware of the vulnerabilities and have since implemented fixes.

Paverd and Sudhodanan said they believe a lack of awareness is the main cause of these vulnerabilities, and that they published the research in order to raise that awareness.

The researchers conclude that the fundamental mitigation is for services to verify that a user actually controls any user-supplied identifier (such as an email address) before using it to create a new account or adding it to an existing one. This would defeat all types of pre-hijacking attack identified to date.
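To make the attack mechanics and the mitigation concrete, the following Python script is an added example; it is not code from the MSRC research or from any affected service. It models a toy account service in two flavours: a vulnerable one that creates a usable account before the email address is verified and does not invalidate sessions on password reset, and a hardened one that follows the researchers' recommendation of verifying ownership before use. It plays out the classic-then-federated merge described above, followed by the victim resetting the password, and reports who still has access. The class, its method names, the sample address victim@example.com and the identity-provider subject string are all constructed for illustration.

```python
"""Toy model of account pre-hijacking via classic/federated merge and a
lingering attacker session. Added example, not code from the MSRC paper or
any real service; all identifiers are constructed."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    password: str | None = None          # toy: real services store hashes
    federated_subjects: set[str] = field(default_factory=set)
    email_verified: bool = False
    sessions: set[str] = field(default_factory=set)


class AccountService:
    """hardened=False reproduces the flaws the article describes;
    hardened=True verifies identifier ownership before any use."""

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, tuple[str, Account]] = {}  # email -> (token, acct)

    # Classic signup: email + password.
    def signup_classic(self, email: str, password: str) -> str | None:
        acct = Account(email=email, password=password)
        if self.hardened:
            # Nothing exists until the address owner presents this token.
            token = secrets.token_urlsafe(16)
            self.pending[email] = (token, acct)
            return None
        # Vulnerable: live, logged-in account bound to an unverified address.
        self.accounts[email] = acct
        return self._new_session(acct)

    def verify_email(self, email: str, token: str) -> bool:
        entry = self.pending.get(email)
        if entry is None or not secrets.compare_digest(entry[0], token):
            return False
        acct = entry[1]
        acct.email_verified = True
        self.accounts[email] = acct
        del self.pending[email]
        return True

    def login_classic(self, email: str, password: str) -> str | None:
        acct = self.accounts.get(email)
        if acct is None or acct.password is None:
            return None
        if not secrets.compare_digest(acct.password, password):
            return None
        return self._new_session(acct)

    # Federated signup: the IdP has asserted that idp_subject owns email.
    def signup_federated(self, email: str, idp_subject: str) -> str:
        if self.hardened:
            # Drop any unverified classic signup squatting on this address.
            self.pending.pop(email, None)
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email=email, email_verified=True)
            self.accounts[email] = acct
        # Vulnerable path: silently merges into the attacker's pre-created
        # classic account, leaving its password valid. Hardened path: any
        # account found here already belongs to a verified owner.
        acct.federated_subjects.add(idp_subject)
        acct.email_verified = True
        return self._new_session(acct)

    # Password reset by whoever currently controls the mailbox.
    def reset_password(self, email: str, new_password: str) -> str:
        acct = self.accounts[email]
        acct.password = new_password
        if self.hardened:
            acct.sessions.clear()   # terminate any pre-hijack session
        return self._new_session(acct)

    def session_valid(self, email: str, sid: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and sid in acct.sessions

    def _new_session(self, acct: Account) -> str:
        sid = secrets.token_hex(16)
        acct.sessions.add(sid)
        return sid


def classic_federated_merge(hardened: bool) -> dict[str, bool]:
    """Attacker pre-creates a classic account with the victim's address;
    the victim later signs up via SSO, then resets the password."""
    svc = AccountService(hardened)
    victim = "victim@example.com"                      # constructed
    attacker_sid = svc.signup_classic(victim, "attacker-pw")
    svc.signup_federated(victim, "idp-subject-victim")  # constructed
    attacker_pw_works = svc.login_classic(victim, "attacker-pw") is not None
    victim_sid = svc.reset_password(victim, "victim-new-pw")
    return {
        "victim_has_access": svc.session_valid(victim, victim_sid),
        "attacker_password_works": attacker_pw_works,
        "attacker_session_alive": attacker_sid is not None
        and svc.session_valid(victim, attacker_sid),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", classic_federated_merge(mode))
```

In the vulnerable configuration the attacker's password still works after the merge and their original session survives the victim's password reset; in the hardened configuration the attacker's classic signup never becomes an account, so the victim's federated signup creates a fresh, attacker-free account, and the reset also clears all sessions.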
